#remotecodeexecution

2026-02-24

Developer-targeting campaign using malicious Next.js repositories

A coordinated campaign is targeting developers through malicious repositories disguised as legitimate Next.js projects and technical assessment materials. The attack uses multiple entry points that lead to runtime retrieval and local execution of attacker-controlled JavaScript, transitioning into staged command-and-control. The campaign employs three main execution paths: Visual Studio Code workspace automation, build-time execution during application development, and server startup execution via environment variable exfiltration and dynamic remote code execution. The attack chain includes a Stage 1 C2 beacon for registration and a Stage 2 C2 controller for persistent tasking. This sophisticated approach allows attackers to blend into routine developer workflows, increasing the likelihood of code execution and potentially compromising high-value assets such as source code, environment secrets, and access to build or cloud resources.

Pulse ID: 699e18510d30e21605243f81
Pulse Link: otx.alienvault.com/pulse/699e1
Pulse Author: AlienVault
Created: 2026-02-24 21:29:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #InfoSec #Java #JavaScript #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Troll #bot #developers #AlienVault

2026-02-20

VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.

Pulse ID: 6997aaa340e2e5c6cdac145f
Pulse Link: otx.alienvault.com/pulse/6997a
Pulse Author: AlienVault
Created: 2026-02-20 00:28:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DataTheft #Education #Healthcare #InfoSec #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Rust #Vulnerability #bot #AlienVault

Offensive Sequence (@offseq@infosec.exchange)
2026-02-18

🚨 CRITICAL: CVE-2026-27180 in sergejey MajorDoMo allows unauthenticated RCE via poisoned update URLs. Attackers can deploy arbitrary PHP files to webroot with 2 GETs. Patch urgently! radar.offseq.com/threat/cve-20 #OffSeq #CVE #infosec #remotecodeexecution

Critical threat: CVE-2026-27180: Download of Code Without Integrity Check in sergejey MajorDoMo
2026-02-18

Critical Vulnerabilities in Ivanti EPMM Exploited

Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited, allowing unauthenticated remote code execution on servers. Widespread exploitation has been observed, including reverse shells, web shells, reconnaissance, and malware downloads. Affected sectors include government, healthcare, manufacturing, and technology in multiple countries. Over 4,400 vulnerable instances have been identified. Attackers are moving quickly from initial access to deploying persistent backdoors. Immediate patching is strongly recommended, as exploitation attempts are largely automated and opportunistic.

Pulse ID: 6995249be065bbf8bec34118
Pulse Link: otx.alienvault.com/pulse/69952
Pulse Author: AlienVault
Created: 2026-02-18 02:31:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Endpoint #Government #Healthcare #InfoSec #Ivanti #Malware #Manufacturing #OTX #OpenThreatExchange #RemoteCodeExecution #ZeroDay #bot #AlienVault

Remote code execution vulnerability in Windows 11 Notepad

A vulnerability has been discovered in Windows 11 Notepad that allows remote code execution through malicious links inside Markdown files. An attacker can lure a user into clicking such a link to launch an unvalidated protocol handler and then load and execute a remote file.

news.hada.io/topic?id=26632

#windows11 #security #vulnerability #remotecodeexecution

AI Daily Post (@aidailypost)
2026-02-11

Anthropic says the newly disclosed zero‑click RCE bug in Claude Desktop Extensions isn’t a design flaw to fix, citing the Model Context Protocol’s architecture. The debate raises big questions for AI agents and cybersecurity. What does this mean for developers and users? Dive into the details.

🔗 aidailypost.com/news/anthropic

Python Peak (@PythonPeak)
2026-01-12

YAML Load Executes Arbitrary Code Compromising 470 Servers?!

YAML RCE APOCALYPSE! yaml.load() executes Python! Attacker uploads malicious config! Backdoor on all servers! 4.7M database exfiltrated! $47M breach! CISO ARRESTED!

youtube.com/watch?v=Lvvwf-SaDeE

2026-01-08

Oops, apocalypse ...

Critical n8n bug allows unauthenticated server takeover • The Register
theregister.com/2026/01/08/n8n

#n8n #CyberSecurity #remotecodeexecution

N-gated Hacker News (@ngate)
2025-12-18

🚨 ALERT: FreeBSD's "security" geniuses have discovered that their router advertisements can execute code remotely! 😱💻 But don't worry, they patched it in record time—by repeating the same date and time for every version. 🕒🔧 Bravo, truly groundbreaking work! 👏
freebsd.org/security/advisorie

2025-11-18

Critical command injection vulnerability in the WordPress plugin W3 Total Cache

A serious security vulnerability (CVE-2025-9501, CVSS score 9.0) has been discovered in the popular WordPress caching plugin W3 Total Cache. It allows remote code execution, meaning attackers can run arbitrary commands on the server without having to authenticate first.

#wordpress #plugin #w3totalcache #infosec #infosecnews #RemoteCodeExecution

beyondmachines.net/event_detai

2025-11-10

A tiny flaw in a common math eval library is opening the door to remote attacks across hundreds of projects. How did a simple overlook snowball into a security crisis—and what fixes can save the day?

thedefendopsdiaries.com/unders

#rce
#javascriptsecurity
#cve202512735
#opensource
#cybersecurity
#vulnerabilitymanagement
#expr-eval
#remotecodeexecution
#securitypatch

Daniel Kuhl ✌🏻☮️☕️ (@daniel1820815@infosec.exchange)
2025-11-04

🚨 The #CheckPoint Research team uncovered #security #vulnerabilities in #Windows graphics. #CVE-2025-30388 and CVE-2025-53766 are #BufferOverflows enabling #RemoteCodeExecution. CVE-2025-47984 leaks memory over the network due to an incomplete fix.

research.checkpoint.com/2025/d

2025-10-24

Overlooked WSUS configurations could be your network's Achilles' heel—hackers can seize SYSTEM-level control with zero user input. Microsoft's rapid patch is out. Is your server safe?

thedefendopsdiaries.com/critic

#wsus
#cve202559287
#windowsserver
#remotecodeexecution
#cybersecurity
#patchmanagement
#networksecurity
#microsoftsecurity
#zeroday
